1 A Tale of Two Clocks

A friend of ours, who was a brilliant mathematician, has been hospitalized because of 
long-term abuse of hallucinogenic drugs. We decide to give him a digital clock for his 
room. However, his doctor suggests that the hour and minute displays together might 
be too confusing. So, we put tape over the minute display, turning our gift into a digital 
hour clock. 

We present the clock to our friend, who asks what it is supposed to do. Although he 
has lost his memory of everyday objects, his mathematical abilities are undiminished. 
So, we give him a mathematical explanation. Since the drugs have destroyed his sense 
of time, we do not have to relate the behavior of the clock to real time; we need only 
explain the sequence of numbers displayed by the clock. We describe the clock by 
saying that this sequence must be some sequence of values for the variable $hr$ allowed
by the temporal-logic formula $S_H$ defined as follows.

$$\begin{aligned}
\mathit{Init}_H &\triangleq hr \in \{1, \ldots, 12\} \\
N_H &\triangleq hr' = (hr \bmod 12) + 1 \\
S_H &\triangleq \mathit{Init}_H \land \Box N_H
\end{aligned} \tag{1}$$

Being an expert in temporal logic, our friend understands that the formula $\mathit{Init}_H$
describes the initial state, and the formula $\Box N_H$ asserts that every successive pair of
states satisfies the relation $N_H$, where unprimed values refer to the first state and primed
values refer to the second. We end our visit, leaving him happily watching the clock and
checking that it satisfies $S_H$.

When we next visit the hospital, the doctor tells us that our friend has improved 
considerably, so we can remove the tape and make the clock's minute display visible. 
We do so, and our friend requests a new specification that describes both the minute 
and hour displays. We choose the variable $min$ to represent the minute display, and we
give him the obvious formula $S_M$ defined as follows.¹

$$\begin{aligned}
\mathit{Init}_M &\triangleq (hr \in \{1, \ldots, 12\}) \land (min \in \{0, \ldots, 59\}) \\
N_M &\triangleq\ \land\ min' = (min + 1) \bmod 60 \\
&\phantom{\triangleq}\ \land\ hr' = \textbf{if } min = 59 \textbf{ then } (hr \bmod 12) + 1 \textbf{ else } hr \\
S_M &\triangleq \mathit{Init}_M \land \Box N_M
\end{aligned} \tag{2}$$

Our friend is puzzled and asks how removing the tape could change the behavior of the
hour display. He explains that if removing the tape didn't change the hour display's
behavior, then its sequence of values should still satisfy the original specification $S_H$.
After all, $S_H$ does not imply the absence of a minute display, so it should be true
for any sequence of values for $hr$ allowed by the new specification $S_M$. But it isn't.
Formula $S_H$ asserts that the value of $hr$ should change in every successive state, while
formula $S_M$ asserts that there are fifty-nine successive states with the same value of
$hr$.

We realize that he is right; our specification $S_H$ is wrong. We must modify it to
allow steps that leave $hr$ unchanged. Because we might one day give him a new clock
with a second display, we must also modify $S_M$ to allow steps that leave both $hr$ and
$min$ unchanged. To save a bit of writing, we introduce the notation that $[N]_f$ is an
abbreviation for $N \lor (f' = f)$, where $f'$ is the expression obtained by priming all the
free variables in $f$. We now redefine $S_H$ and $S_M$ by

$$\begin{aligned}
S_H &\triangleq \mathit{Init}_H \land \Box[N_H]_{hr} \\
S_M &\triangleq \mathit{Init}_M \land \Box[N_M]_{\langle hr, min \rangle}
\end{aligned}$$

Our mathematician friend understands that $\langle hr, min \rangle' = \langle hr, min \rangle$ iff $hr' = hr$ and
$min' = min$, so the subscript $\langle hr, min \rangle$ means that $S_M$ allows steps that leave both $hr$
and $min$ unchanged. He knows that the new specification $S_H$ describes the behavior
that he has already observed in the clock, since by watching only the hour display,
he couldn't possibly tell whether or not there were steps that didn't change the hour
display.

However, our friend is sad. The new specifications allow behaviors in which, after 
a while, the display stops changing, and he so enjoys watching the numbers change. 
We tell him not to worry because the actual specifications are 

$$\begin{aligned}
S_H &\triangleq \mathit{Init}_H \land \Box[N_H]_{hr} \land \mathrm{WF}_{hr}(N_H) \\
S_M &\triangleq \mathit{Init}_M \land \Box[N_M]_{\langle hr, min \rangle} \land \mathrm{WF}_{\langle hr, min \rangle}(N_M)
\end{aligned} \tag{3}$$

where the $\mathrm{WF}$ formulas assert that the clock keeps advancing forever. Once we explain
the precise meaning of $\mathrm{WF}$, our friend is quite happy. He easily deduces the simple
theorem

$$S_M \Rightarrow S_H \tag{4}$$

and he knows that this theorem means that if the clock satisfies the specification $S_M$,
then it also satisfies the specification $S_H$, so the hour display does indeed continue
to behave as before. We remind him that (4) is, by definition, what it means for the
specification $S_M$ to implement the specification $S_H$.

¹He is already familiar with our notation of representing conjunctions as lists of formulas bulleted by $\land$.

Our friend enjoys his clock, and spends days doing little but watching it and verifying
that it satisfies the specification $S_M$. Then, one day, a violent patient at the hospital
breaks it. So, we purchase a brand new clock and send it to him. On our next visit,
we find our friend distraught. The new clock does not satisfy the specification $S_M$. He
explains that one time the clock changed from 7:59 to 7:00, and later it jumped directly 
from 7:00 to 8:00. Examining the clock, we discover that, on the hour, both displays do 
not change simultaneously. There can be a noticeable instant between when the minute 
and hour displays change. To our friend, with his distorted sense of time, that instant 
seems very long. 

To pacify him, we must specify the new clock. We realize that, if we want to write 
the same kind of specification as before, we must add another variable to distinguish 
whether the clock reads 7:00 because it really is 7:00, or because it is in the middle 
of changing from 7:59 to 8:00. We use the boolean variable $chg$ that will be true iff
the clock is in the middle of changing the hour, and we present our friend with the
following specification $IS_L$.

$$\begin{aligned}
\mathit{Init}_L &\triangleq \mathit{Init}_M \land \lnot chg \\[4pt]
\mathit{Min} &\triangleq\ \land\ \lnot chg \lor (min = 59) \\
&\phantom{\triangleq}\ \land\ min' = (min + 1) \bmod 60 \\
&\phantom{\triangleq}\ \land\ chg' = \lnot chg \land (min = 59) \\
&\phantom{\triangleq}\ \land\ hr' = hr \\[4pt]
\mathit{Hr} &\triangleq\ \land\ (\lnot chg \land (min = 59)) \lor (chg \land (min = 0)) \\
&\phantom{\triangleq}\ \land\ hr' = (hr \bmod 12) + 1 \\
&\phantom{\triangleq}\ \land\ chg' = (min = 59) \\
&\phantom{\triangleq}\ \land\ min' = min \\[4pt]
N_L &\triangleq \mathit{Min} \lor \mathit{Hr} \\[4pt]
IS_L &\triangleq \mathit{Init}_L \land \Box[N_L]_{\langle hr, min, chg \rangle} \land \mathrm{WF}_{\langle hr, min, chg \rangle}(N_L)
\end{aligned}$$

Our friend looks puzzled and asks us where he should look for the value of $chg$. We tell
him that it's just a specification variable, and doesn't necessarily correspond to anything
on the actual clock. "Well, why doesn't your specification say so?" he demands. So,
we define a new specification $S_L$ by

$$S_L \triangleq \boldsymbol{\exists}\, chg : IS_L \tag{5}$$

Formula $S_L$ asserts that the clock acts as if there were a sequence of values for $chg$
for which $IS_L$ is satisfied; it says nothing about the actual values of $chg$. (We write $\boldsymbol{\exists}$
instead of $\exists$ to indicate that we are asserting the existence of a sequence of values, not
just a single value.) A clock satisfies $S_L$ iff it acts exactly the same as the clock you
would get by building a device with $hr$, $min$, and $chg$ displays that satisfies $IS_L$, and
then putting tape over the $chg$ display.

Reminded of the definition of $\boldsymbol{\exists}$, our friend observes that $S_H$ is equivalent to
$\boldsymbol{\exists}\, min : S_M$. Formula $S_H$ is indeed the specification of our first gift — the old clock
with tape over the minute display.
Our new specification does not make him happy. He liked the orderly progression
of times on his old clock, and a sequence like 7:59, 8:59, 8:00 seems bizarre to him.
He wishes he had his old clock back. Although we can't replace the old clock, we can
do something almost as good: we can explain how to interpret any behavior of the new
clock as a "virtual" behavior of the old clock. We offer to do this by writing a formula
$R_{LH}$ that contains the variables $hr$ and $min$ as well as a new variable $\overline{min}$. To interpret
a sequence of values of $hr$ and $min$ produced by the new clock as a virtual behavior of
the old clock, he just has to find a sequence of values of $\overline{min}$ so that $R_{LH}$ is satisfied.
He can then consider the sequence of $hr$ and $\overline{min}$ values to be a behavior of the old
clock.

Our friend agrees that this would make him happy if formula $R_{LH}$ satisfies two
conditions. The first is that, if the sequence of $hr$ and $min$ values satisfies $S_L$, then the
resulting sequence of $hr$ and $\overline{min}$ values should satisfy $\overline{S_M}$. Mathematically, this is
expressed by

$$S_L \land R_{LH} \Rightarrow \overline{S_M} \tag{6}$$

where $\overline{S_M}$ is the formula obtained by substituting $\overline{min}$ for $min$ in $S_M$. But this condition
by itself would allow us to cheat — for example, by letting $R_{LH}$ be $\mathrm{FALSE}$. Formula
$R_{LH}$ must also satisfy the condition that, for any sequence of values of $hr$ and $min$
satisfying $S_L$, there must be some sequence of values of $\overline{min}$ satisfying $R_{LH}$. In other
words, the following must be true.

$$S_L \Rightarrow \boldsymbol{\exists}\, \overline{min} : R_{LH} \tag{7}$$

We tell him he is right, and that when (6) and (7) hold, we say that $S_L$ implements $S_M$
under the refinement $R_{LH}$. We then define $R_{LH}$ by

$$\begin{aligned}
R_{LH} \triangleq\ & \land\ \overline{min} = min \\
& \land\ \Box\Bigl[\, \overline{min}' = \textbf{if } hr' \ne hr \textbf{ then } 0 \textbf{ else if } min' = 0 \textbf{ then } \overline{min} \textbf{ else } min' \,\Bigr]_{\langle hr, min, \overline{min} \rangle}
\end{aligned}$$



Being a brilliant mathematician, he quickly verifies (6) and (7). In fact, he points out
that the following result, which implies (7), is true.

$$\boldsymbol{\exists}\, \overline{min} : R_{LH} \tag{8}$$

Now that he understands what the refinement is, he realizes that there is another way to
obtain it. Formula $S_L$ implies the existence of a sequence of values for $chg$ satisfying
$IS_L$. We can therefore use $chg$ to define $\overline{min}$. First, define $\widehat{min}$ by

$$\widehat{min} \triangleq \textbf{if } (min = 0) \land chg \textbf{ then } 59 \textbf{ else } min$$

and then define the virtual variable $\overline{min}$ to equal the expression $\widehat{min}$, which is a simple
function of $min$ and $chg$. This is an easier way to define the refinement because it
requires writing no new temporal formulas.
Our friend is actually using the alternative refinement $R_{LH}$ defined by

$$R_{LH} \triangleq (\boldsymbol{\exists}\, chg : IS_L \land \Box(\overline{min} = \widehat{min})) \tag{9}$$

Since $S_L$ equals $\boldsymbol{\exists}\, chg : IS_L$, and the variable $\overline{min}$ does not occur in $IS_L$, the proof
of (7) with this definition of $R_{LH}$ requires no mathematical brilliance. Moreover, to
prove (6), it suffices to prove the simpler theorem

$$IS_L \Rightarrow \widehat{S_M} \tag{10}$$

where $\widehat{S_M}$ is the formula obtained by substituting the expression $\widehat{min}$ for the variable
$min$ in $S_M$. (Observe that $\widehat{S_M}$ contains the variables $hr$, $min$, and $chg$, while formula
$\overline{S_M}$ in (6) contains the variables $hr$, $min$, and $\overline{min}$.)

Finally, our friend notes that since $chg$ does not occur in $S_M$, (10) implies

$$(\boldsymbol{\exists}\, chg : IS_L) \Rightarrow (\boldsymbol{\exists}\, min : S_M) \tag{11}$$

But $S_L$ is defined to equal $\boldsymbol{\exists}\, chg : IS_L$, and he already observed that $\boldsymbol{\exists}\, min : S_M$ is
equivalent to $S_H$, so (11) implies that $S_L$ implements $S_M$.
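The clock specifications of this section, as an added example that is not part of the paper: a small Python checker that evaluates finite behaviors (lists of states) against formulas of the form $\mathit{Init} \land \Box[N]_v$. The encoding of states as dictionaries, the finite-prefix semantics, and the omission of the $\mathrm{WF}$ conjuncts (which constrain only infinite behaviors) are this example's assumptions, as are the sample behaviors, which are constructed around the 7:59 to 8:00 transition. It exhibits the friend's objection to the first $S_H$ of (1), theorem (4) by projecting away the minute display, the fact that the new clock's visible displays alone do not satisfy $S_M$, one sequence of $\overline{min}$ values allowed by the temporal refinement $R_{LH}$ (a step that changes neither display is treated as a stuttering step of $R_{LH}$), and the refinement mapping $\widehat{min}$ of (9) and (10) applied to the minute-first sequence 7:59, 7:00, 8:00. The same check is what the refinement-mapping condition (16) of Section 2 asks for, with $h$ being $min$ and $\overline{h}$ the state function $\widehat{min}$.

```python
# Added example (not from the paper): a checker that tests finite behaviors,
# given as lists of states (dicts), against the clock specifications.  The WF
# conjuncts are left out because they constrain only infinite behaviors.

# Old clock: Init_H, N_H, Init_M, N_M from formulas (1)-(3).
def init_h(s):
    return s["hr"] in range(1, 13)

def next_h(s, t):
    return t["hr"] == (s["hr"] % 12) + 1

def init_m(s):
    return init_h(s) and s["min"] in range(60)

def next_m(s, t):
    new_hr = (s["hr"] % 12) + 1 if s["min"] == 59 else s["hr"]
    return t["min"] == (s["min"] + 1) % 60 and t["hr"] == new_hr

# New clock with the specification variable chg: Init_L, Min, Hr, N_L of IS_L.
def init_l(s):
    return init_m(s) and not s["chg"]

def act_min(s, t):
    return ((not s["chg"] or s["min"] == 59)
            and t["min"] == (s["min"] + 1) % 60
            and t["chg"] == (not s["chg"] and s["min"] == 59)
            and t["hr"] == s["hr"])

def act_hr(s, t):
    return (((not s["chg"] and s["min"] == 59) or (s["chg"] and s["min"] == 0))
            and t["hr"] == (s["hr"] % 12) + 1
            and t["chg"] == (s["min"] == 59)
            and t["min"] == s["min"])

def next_l(s, t):
    return act_min(s, t) or act_hr(s, t)

def satisfies(behavior, init, nxt, vars_, allow_stutter=True):
    """Init /\ [][nxt]_vars over a finite prefix.  allow_stutter=False checks
    the first, mistaken S_H of (1), whose []N_H rejects unchanged steps."""
    if not behavior or not init(behavior[0]):
        return False
    for s, t in zip(behavior, behavior[1:]):
        stutter = allow_stutter and all(s[v] == t[v] for v in vars_)
        if not (nxt(s, t) or stutter):
            return False
    return True

def project(behavior, vars_):
    """Putting tape over the other displays: keep only vars_ in every state."""
    return [{v: s[v] for v in vars_} for s in behavior]

def min_hat(s):
    """The state function of (9)/(10): if (min = 0) /\ chg then 59 else min."""
    return 59 if s["min"] == 0 and s["chg"] else s["min"]

def old_clock_view(s):
    """Refinement mapping: an old-clock state with min_hat substituted for min."""
    return {"hr": s["hr"], "min": min_hat(s)}

def refine(behavior, mapping):
    return [mapping(s) for s in behavior]

def virtual_via_rlh(behavior):
    """One sequence of virtual-minute values allowed by the temporal refinement
    R_LH, computed from hr and min alone.  A step that changes neither display
    is taken as a stuttering step of R_LH, so the virtual minute is kept."""
    out = [{"hr": behavior[0]["hr"], "min": behavior[0]["min"]}]
    for s, t in zip(behavior, behavior[1:]):
        if t["hr"] == s["hr"] and t["min"] == s["min"]:
            m = out[-1]["min"]
        elif t["hr"] != s["hr"]:
            m = 0
        elif t["min"] == 0:
            m = out[-1]["min"]
        else:
            m = t["min"]
        out.append({"hr": t["hr"], "min": m})
    return out

def st(hr, mn, chg):
    return {"hr": hr, "min": mn, "chg": chg}

# Constructed sample behaviors of the new clock at 7:59 -> 8:00, with the
# minute display changing first and with the hour display changing first
# (the latter includes one step on which nothing changes).
MIN_FIRST = [st(7, 59, False), st(7, 0, True), st(8, 0, False), st(8, 1, False)]
HOUR_FIRST = [st(7, 59, False), st(8, 59, True), st(8, 59, True),
              st(8, 0, False), st(8, 1, False)]

if __name__ == "__main__":
    L = ("hr", "min", "chg")
    for b in (MIN_FIRST, HOUR_FIRST):
        assert satisfies(b, init_l, next_l, L)
        # The visible displays alone do not satisfy S_M: the friend's complaint.
        assert not satisfies(project(b, ("hr", "min")), init_m, next_m, ("hr", "min"))
        # Under R_LH the virtual hr, min sequence is an old-clock behavior (6),
        # and its hour display satisfies S_H of (3) but not the []N_H of (1).
        v = virtual_via_rlh(project(b, ("hr", "min")))
        assert satisfies(v, init_m, next_m, ("hr", "min"))
        assert satisfies(project(v, ("hr",)), init_h, next_h, ("hr",))
        assert not satisfies(project(v, ("hr",)), init_h, next_h, ("hr",), allow_stutter=False)
    # The refinement mapping of (10), applied to the 7:59, 7:00, 8:00 behavior.
    assert refine(MIN_FIRST, old_clock_view) == virtual_via_rlh(project(MIN_FIRST, ("hr", "min")))
    print("all checks passed")
```

Running the module executes the checks in the `__main__` block; the functions can also be imported and applied to other constructed behaviors, for instance to confirm that a simultaneous 7:59 to 8:00 step is not an $IS_L$ step because neither $\mathit{Min}$ nor $\mathit{Hr}$ sets $chg'$ to the required value.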



2 In General 

Let us now leave our friend to his recovery and generalize from his clocks. Although 
we have used TLA [4] to specify the clocks, everything generalizes to any method in 
which the meaning of a specification is a set of sequences of states. 

We are given a higher-level specification $S_H$ and a lower-level specification $S_L$
defined by

$$\begin{aligned}
S_H &\triangleq \boldsymbol{\exists}\, h : IS_H \\
S_L &\triangleq \boldsymbol{\exists}\, l : IS_L
\end{aligned}$$

where $h$ and $l$ are sequences of variables.² In the clock example, $IS_H$ was called
$S_M$. We say that $S_L$ implements $S_H$ iff $S_L$ implies $S_H$. For this to make sense, a
specification needs to be invariant under stuttering, meaning that it is satisfied by a
behavior $\sigma$ iff it is satisfied by any behavior obtained from $\sigma$ by adding or deleting
steps that leave the state unchanged.

To prove that $S_L$ implies $S_H$, we first rename bound variables if necessary so that
no variable of $h$ occurs free in $IS_L$. (In our example, we renamed the bound variable
$min$ of $S_H$ to $\overline{min}$.) Then $S_L$ implies $S_H$ iff the following formula is true.

$$IS_L \Rightarrow \boldsymbol{\exists}\, h : IS_H \tag{12}$$

To prove (12), we must show that $IS_L$ implements $IS_H$ under some refinement $R_{LH}$,
which by definition means proving

$$\begin{aligned}
& IS_L \land R_{LH} \Rightarrow IS_H && (13) \\
& IS_L \Rightarrow \boldsymbol{\exists}\, h : R_{LH} && (14)
\end{aligned}$$

²If $h$ is the sequence $h_1, \ldots, h_m$ of variables, then $\boldsymbol{\exists}\, h : IS_H$ is an abbreviation for $\boldsymbol{\exists}\, h_1, \ldots, h_m : IS_H$,
which is in turn an abbreviation for $\boldsymbol{\exists}\, h_1 : \ldots \boldsymbol{\exists}\, h_m : IS_H$.
Since no variable in $h$ occurs free in $IS_L$, (14) is equivalent to $\boldsymbol{\exists}\, h : (IS_L \Rightarrow R_{LH})$.
Hence, by replacing $R_{LH}$ with $IS_L \Rightarrow R_{LH}$, we can always replace (14) by the
stronger condition

$$\boldsymbol{\exists}\, h : R_{LH} \tag{15}$$

Proving that (13) and (14) imply (12) is a simple exercise in predicate logic. To prove
the converse, that (12) implies the existence of a refinement $R_{LH}$ satisfying (13) and
(14), we simply take $R_{LH}$ to be $IS_H$.

The simplest type of refinement is a refinement mapping, in which $R_{LH}$ equals
$\Box(h = \overline{h})$, where $\overline{h}$ is some state function not containing the variables $h$. In that case,
(15) obviously holds, and (13) is equivalent to

$$IS_L \Rightarrow \overline{IS_H} \tag{16}$$

where $\overline{IS_H}$ is the formula obtained from $IS_H$ by replacing the variables $h$ with the
state function $\overline{h}$. All the free variables of $\overline{IS_H}$ will be free variables of $IS_L$.

The validity of (12) implies the existence of a refinement $R_{LH}$, but not necessarily
the existence of a refinement mapping. The existence of an arbitrary refinement $R_{LH}$
is of no help, since (14) has exactly the same form as the formula (12) that we have to
prove. So, we need a method that is more general than refinement mappings but easier
than using an arbitrary refinement. We generalize the alternative clock refinement
defined in (9), replacing $chg$ by an arbitrary sequence $a$ of new variables and $IS_L$ by
some formula $IS_L^a$ which implements $IS_H$ under a refinement mapping. It must be
easy to prove

$$IS_L \Rightarrow \boldsymbol{\exists}\, a : IS_L^a \tag{17}$$

and we must be able to find a refinement mapping for which we can prove

$$IS_L^a \Rightarrow \overline{IS_H} \tag{18}$$

(Even though no refinement mapping exists under which $IS_L$ implements $IS_H$, a
refinement mapping satisfying (18) can exist because it can mention the variables $a$.)
Predicate logic reasoning shows that, if the variables $a$ do not occur free in $IS_L$, then
(17) and (18) imply (12). This approach is equivalent to defining

$$R_{LH} \triangleq (\boldsymbol{\exists}\, a : IS_L^a \land \Box(h = \overline{h}))$$

If $\boldsymbol{\exists}\, a : IS_L^a$ is equivalent to $IS_L$ instead of just implied by it, then we say that $IS_L^a$ is
obtained from $IS_L$ by adding the auxiliary variables $a$.

The most common type of auxiliary variable is a history variable, in which the
value of $a$ at any point in a behavior depends only on the current and previous values
of the free variables of $IS_L$. Simple rules for adding auxiliary variables — that is, rules
for constructing $IS_L^a$ from $IS_L$ so that $\boldsymbol{\exists}\, a : IS_L^a$ is equivalent to $IS_L$ — have been used
for decades [5]. Another kind of auxiliary variable is a stuttering variable, which adds
steps that do not change any of the variables of $IS_L$. In our clock example, we would
use a stuttering variable to prove that $S_H$ implies $\boldsymbol{\exists}\, min : S_M$. A more complicated
type of auxiliary variable is a prophecy variable, whose value can depend on future
values of the variables of $IS_L$.
A theorem of [1] asserts that, under certain conditions, fairly simple rules for adding
auxiliary variables suffice to guarantee the existence of a refinement mapping for proving
any valid formula of the form (12). More complicated rules allow those conditions
to be weakened [2, 3]. However, there do not yet exist rules for adding auxiliary variables
that are both simple and sufficiently general to handle all known examples.